SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:890-1
Container Tags        : bci/golang:1.21 , bci/golang:1.21-2.2.25 , bci/golang:oldstable , bci/golang:oldstable-2.2.25
Container Release     : 2.25
Severity              : important
Type                  : security
References            : 1212475 1212475 1219988 1220385 1220999 1221000 1221001 1221002 1221003
                        CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:734-1
Released:    Thu Feb 29 13:16:38 2024
Summary:     Recommended update for go1.21
Type:        recommended
Severity:    moderate
References:  1212475

This update for go1.21 fixes the following issues:

go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command, the runtime, and the crypto/x509 package. (bsc#1212475 go1.21 release tracking)

* go#63209 runtime: 'fatal: morestack on g0' on amd64 after upgrade to Go 1.21
* go#63768 runtime: pinner.Pin doesn't panic when it says it will
* go#64497 cmd/go: flag modcacherw does not take effect in the target package
* go#64761 staticlockranking builders failing on release branches on LUCI
* go#64935 runtime: 'traceback: unexpected SPWRITE function runtime.systemstack'
* go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
* go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
* go#65323 crypto: rollback BoringCrypto fips-20220613 update
* go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
* go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:766-1
Released:    Tue Mar 5 13:50:28 2024
Summary:     Recommended update for libssh
Type:        recommended
Severity:    important
References:  1220385

This update for libssh fixes the following issues:

- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:811-1
Released:    Fri Mar 8 08:43:12 2024
Summary:     Security update for go1.21
Type:        security
Severity:    important
References:  1212475,1219988,1220999,1221000,1221001,1221002,1221003,CVE-2023-45289,CVE-2023-45290,CVE-2024-24783,CVE-2024-24784,CVE-2024-24785

This update for go1.21 fixes the following issues:

- Upgrade go to version 1.21.8
- CVE-2023-45289: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (bsc#1221000)
- CVE-2023-45290: net/http: memory exhaustion in Request.ParseMultipartForm (bsc#1221001)
- CVE-2024-24783: crypto/x509: Verify panics on certificates with an unknown public key algorithm (bsc#1220999)
- CVE-2024-24784: net/mail: comments in display names are incorrectly handled (bsc#1221002)
- CVE-2024-24785: html/template: errors returned from MarshalJSON methods may break template escaping (bsc#1221003)

The following package changes have been done:

- libssh-config-0.9.8-150400.3.6.1 updated
- libssh4-0.9.8-150400.3.6.1 updated
- go1.21-doc-1.21.8-150000.1.27.1 updated
- go1.21-1.21.8-150000.1.27.1 updated
- go1.21-race-1.21.8-150000.1.27.1 updated
- container:sles15-image-15.0.0-36.11.10 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 removed
- cpio-2.13-150400.3.6.1 removed
- cracklib-2.9.7-11.6.1 removed
- cracklib-dict-small-2.9.7-11.6.1 removed
- diffutils-3.6-4.3.1 removed
- fillup-1.42-2.18 removed
- findutils-4.8.0-1.20 removed
- grep-3.1-150000.4.6.1 removed
- gzip-1.10-150200.10.1 removed
- libaudit1-3.0.6-150400.4.13.1 removed
- libblkid1-2.37.4-150500.9.3.1 removed
- libcap-ng0-0.7.9-4.37 removed
- libcrack2-2.9.7-11.6.1 removed
- libdw1-0.185-150400.5.3.1 removed
- libeconf0-0.5.2-150400.3.6.1 removed
- libelf1-0.185-150400.5.3.1 removed
- libfdisk1-2.37.4-150500.9.3.1 removed
- libgcrypt20-1.9.4-150500.10.19 removed
- libgcrypt20-hmac-1.9.4-150500.10.19 removed
- libgpg-error0-1.42-150400.1.101 removed
- liblua5_3-5-5.3.6-3.6.1 removed
- liblz4-1-1.9.3-150400.1.7 removed
- libmount1-2.37.4-150500.9.3.1 removed
- libnsl2-1.2.0-2.44 removed
- libpopt0-1.16-3.22 removed
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed
- libsmartcols1-2.37.4-150500.9.3.1 removed
- libsystemd0-249.17-150400.8.40.1 removed
- libtirpc-netconfig-1.3.4-150300.3.23.1 removed
- libtirpc3-1.3.4-150300.3.23.1 removed
- libutempter0-1.1.6-3.42 removed
- libuuid1-2.37.4-150500.9.3.1 removed
- libxml2-2-2.10.3-150500.5.14.1 removed
- login_defs-4.8.1-150400.10.12.1 removed
- ncurses-utils-6.1-150000.5.20.1 removed
- pam-1.3.0-150000.6.66.1 removed
- perl-base-5.26.1-150300.17.14.1 removed
- permissions-20201225-150400.5.16.1 removed
- rpm-config-SUSE-1-150400.14.3.1 removed
- rpm-ndb-4.14.3-150400.59.7.1 removed
- sed-4.4-11.6 removed
- shadow-4.8.1-150400.10.12.1 removed
- sles-release-15.5-150500.43.4 removed
- system-group-hardware-20170617-150400.24.2.1 removed
- sysuser-shadow-3.2-150400.3.5.3 removed
- tar-1.34-150000.3.34.1 removed
- timezone-2023c-150000.75.23.1 removed
- util-linux-2.37.4-150500.9.3.1 removed